Supply and Demand (for security)

2018 was the year that raised the alarm in earnest about potential vulnerabilities in the supply chain for enterprise computing systems.

But with such diverse networks and widespread dependence on third parties, how can organizations expect to plug all potential leaks? Karen Epper Hoffman reports.

It sounds like the stuff of a modern-day John le Carré novel: the Chinese government exerting influence over the operations of hardware developer Super Micro Computer Inc. to spy on the enterprises to which Supermicro supplies computer chips.

First detailed in an early October Bloomberg Businessweek article, the story was quickly denied and recanted by several high-profile industry experts, including some of the 17 sources cited in the initial piece. However, this tale of apparent cyberspy intrigue, along with similar stories in recent years, has shone a spotlight on the vulnerabilities of the enterprise supply chain.

“This story is an extreme use case, but it justifies the need for governments [and companies] to do extensive and thorough assessments of their vendors and hardware,” says Itay Kozuch, director of threat research for IntSights Cyber Intelligence. “While it may seem inefficient, the one time in a million assessments that you catch something is worth the cost.”

A potential problem at Supermicro raised alarms because the company manufactures computer hardware used by business giants like Amazon and Apple, as well as the U.S. government, including the Department of Defense and the Central Intelligence Agency.

Jacob Ansari, senior manager for Schellman & Company LLC, points out the typical supply chain is “bigger than manufactured components in factories and older than the Supermicro event or non-event, depending on how you regard that [story].”

The supposed Supermicro compromise is not an isolated event, he adds, since there have long been well-documented supply chain attacks in point-of-sale software, where the attackers had compromised a third-party component, thus backdooring the POS before it even shipped to the merchant.

Matt Wilson, chief information security advisor at BTB Security, believes the Supermicro story highlights a supply chain risk which is “well-known in government circles, but relatively unknown to most [private-sector] organizations.” On the heels of this and similar cyberspying stories, Wilson and his team have seen “a slight uptick in interest from some of our enterprise customers, as well as smaller organizations that have more mature information security programs.”

A recent CrowdStrike report, Securing the Supply Chain, which surveyed 1,300 senior IT decision-makers and security professionals, found that 87 percent had suffered a supply chain attack even after implementing a full strategy or having a preplanned response in place.

Nearly as many in the U.S. – 80 percent – think supply chain attacks will potentially become one of the biggest threats of the next three years.

“It’s clear that supply chain attacks are becoming a business-critical issue…but organizations largely lack the knowledge, tools, and technology to be protected,” says Shawn Henry, president of CrowdStrike Services and CSO, in a release. “Knowledge gaps and the lack of established standards to prevent complex supply chain attacks are putting organizations at risk from a financial, reputational, and operational perspective.”

Wilson notes that “implementing any mitigating controls, or even credibly assessing supply chain threats, remains far beyond the capabilities of all but a few organizations, namely massive enterprises like Amazon or the government.”

Indeed, the CrowdStrike study found that only 37 percent of U.S.-based respondents said their organizations had vetted all suppliers over the last year.

Security in scarce supply?

As enterprises, big and small, public- and private-sector, become increasingly dependent on third-party providers throughout every step of their supply chain in order to reduce costs and improve efficiencies, the concern over supply chain interlopers is likely to increase.

A range of valuable and sensitive information is typically shared with suppliers, and “when that information is shared, direct control is lost,” according to Steve Durbin, managing director of the Information Security Forum. “This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, organizations must focus on the weakest spots in their supply chains.”

While “supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy,” Durbin says, “security chiefs everywhere are concerned about how open they are to an abundance of risk factors.”

Ken Dort, partner with the law firm Drinker Biddle & Reath LLP, believes that rather than changing their use of suppliers entirely, organizations must build additional review into their existing processes.

“As we have always known, cyber defense is a dynamic process always subject to change and evolution to respond to the always-changing cyber landscape,” Dort says. “The novelty of these developments has opened people’s eyes, just as any cyber event does, to their respective vulnerabilities on the cyber front.”

James Tillett, founder and principal of Endeavor Engineering Inc., points out that the Supermicro scandal focused on hardware supply concerns, “but of course most systems also include software.” Hence, he says, it becomes more critical for enterprises to create a secure overlay, effectively a closed network layer for critical points in the supply chain, with distributed and potentially global authenticated nodes that are physically secured and inspected more frequently for inevitable intrusions.

When enterprises adopt an entire third-party software stack, the “Trojan Horse” could lie in an application’s installation scripts, its code, its media artifacts, its run-time libraries or a DLL, which can make such threats quite difficult to weed out. “Software deliverables often have dependencies on deprecated versions of run-time libraries or DLLs – for reasons of interoperability or other technical concerns – and can’t be easily patched or updated,” says a Comodo spokesperson.
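One defensive check a receiving organization can run on such a deliverable, as an added example that is not code from the article, Comodo or any vendor named here: compare every shipped file against a vendor-supplied hash manifest (flagging altered files, files the manifest never listed such as a stray install script or DLL, and files that are missing), and flag bundled run-time libraries that fall below a minimum supported version. The manifest format, the constructed sample files and the version floors are assumptions for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_version(v: str) -> Tuple[int, ...]:
    # "1.10.2" -> (1, 10, 2); non-numeric components are treated as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def audit_deliverable(files: Dict[str, bytes],
                      manifest: Dict[str, str],
                      declared_libs: Dict[str, str],
                      minimum_libs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (item, issue) pairs for anything that should block acceptance."""
    findings = []
    # 1. Every shipped file must appear in the vendor manifest with a matching hash.
    for path, data in files.items():
        expected = manifest.get(path)
        if expected is None:
            findings.append((path, "not in vendor manifest"))
        elif sha256_hex(data) != expected:
            findings.append((path, "hash mismatch"))
    # 2. Every manifest entry must actually be present in the deliverable.
    for path in manifest:
        if path not in files:
            findings.append((path, "listed in manifest but missing"))
    # 3. Bundled run-time libraries must meet the organization's minimum version.
    for lib, version in declared_libs.items():
        floor = minimum_libs.get(lib)
        if floor and parse_version(version) < parse_version(floor):
            findings.append((lib, f"deprecated version {version} < {floor}"))
    return findings

# Constructed sample: the vendor's golden build, from which the manifest was produced.
GOLDEN = {
    "bin/app.exe": b"app-binary-v2",
    "install.sh": b"#!/bin/sh\ncp bin/app.exe /opt/app/\n",
    "lib/runtime.dll": b"runtime-dll-1.0.2",
}
MANIFEST = {path: sha256_hex(data) for path, data in GOLDEN.items()}

# Constructed sample: what actually arrived. The install script differs from the
# golden copy and an extra DLL is present that the manifest never listed.
RECEIVED = dict(GOLDEN)
RECEIVED["install.sh"] = GOLDEN["install.sh"] + b"echo tampered\n"
RECEIVED["lib/helper.dll"] = b"unlisted-dll"
DECLARED_LIBS = {"runtime.dll": "1.0.2"}   # version the vendor says it bundles
MINIMUM_LIBS = {"runtime.dll": "1.1.0"}    # floor set by the receiving organization

if __name__ == "__main__":
    for item, issue in audit_deliverable(RECEIVED, MANIFEST, DECLARED_LIBS, MINIMUM_LIBS):
        print(f"{item}: {issue}")
```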

Get ahead of the problem

While not all security compromises can be prevented beforehand, Durbin points out that “being proactive now means that you, and your suppliers, will be better able to react quickly and intelligently when something does happen.”

Although attack methods and motivations vary, “understanding the ‘why’ can provide insight into the techniques that may best serve an attacker. In our connected environments, while we can prioritize risks based on impact, organizations cannot ignore any potential attacks,” says Edna Conway, CSO of Cisco’s Global Value Chain.

For the overwhelming majority of organizations that continue to struggle with fundamentals like patching, hardening and monitoring, Wilson says “they may be concerned by this news, but what can they feasibly do?” Even well-resourced and high-profile targets like Amazon and government agencies like the National Security Agency, which already spend time and resources validating their processes for supply chain risk and tweaking systems and processes, should be revisiting this risk more frequently, he adds.

While there are no easy solutions, Dort suggests enterprises should consider working with “fewer, but more high-quality vendors, and work toward having redundant options [and] be prepared to consider secondary vendors in the event of emergencies.”

Conway recommends organizations mitigate supply chain risk by:

1. identifying key players in their third-party ecosystems and what they deliver;
2. developing flexible security architectures with a layered approach of physical security, security technology, logical operational security processes and behavioral security;
3. sharing and deploying their security architectures across their third parties;
4. assessing whether their third parties are operating within the tolerance levels set by their security architecture; and
5. being alert to new security risks, especially as digitization and IT/OT convergence increase.

“Control what you can, recognize what you cannot, and make informed decisions based upon your risk tolerance and budget,” Wilson adds. “Take comfort in the fact that to subvert the supply chain, it requires tremendous resources, even though it’s easier to do than ever.”